Strategic insightsThe First Rule of Privacy

Privacy is a big topic online, and there are many different opinions about it. But all the privacy problems can be summed up into one simply rule that cannot be broken.

It goes like this:

The rule really is that simple, and it also the only rule that applies to privacy - and it covers any situation.

No company, group, automated system, code algorithm, or other person can decide what I want to share. Just as none can decide that I should share something with an external party. I am the only one who have that power.

And you can say the same. You are the only one who can decide what you want to share. Nobody else can do that. I cannot decide what you want to share, just as you cannot decide what I want to share.

This first rule of privacy should be at the very core or any business. You must never create an app that violates this simple principle. There is no such thing as opt-out. And there is no such thing as “we shared this content because we thought you wanted to do that.”

You can make suggestions. You can even make it really easy to share. But your app cannot decide what should be shared. The keyword here is “ who makes the decision?” and only the individual in question have the power to decide.

It is then, quite extraordinary, that we see so many companies constantly violating this simple principle. From:

Small twitter apps that proudly proclaim that “The last 5 people who used this product were [list]”

Apps that automatically tweets that “Thomas Baekdal just signed up for [app]”

Apple iWork.com that automatically picks a picture for your public profile from your computer

Facebook

Take Facebook. They are right now changing their platform from a mostly private social network, to a very public one. This is absolutely the right thing to do, and it is a very important change for Facebook.

The problem is not that they are changing the platform to a public one, but how they are doing it. Because, to re-quote the first rule of privacy “I am the only one who can decide what I want to share” - Facebook is not allowed to make that decision.

One example. In the past, the Facebook pages that you followed wasn’t shared with anyone but your friends. But in a recent redesign, Facebook decided to make that information readily available to anyone.

The keyword here, is again, “who made the decision?”

You are the only one who can decide to share that information. Facebook is not allowed to do it, and when they did, they violated the one and only rule of privacy.

But it gets worse. The second worse thing about privacy, apart from violating it, is to turn it into a setting.

Facebook’s way of not violating your privacy is to give you micro-management control over each little thing, and how that is shared.

Seventeen steps! Of which, many require that you go through interfaces like this one (which puts it is closer to 200 steps):

Come on Facebook! This is not the solution. This is what happens when engineers take over.

Google Buzz

Google made an even bigger blunder with Google Buzz, because they took information that is highly sensitive, and automatically made it publicly available - namely, the people you communicate with the most.

Google has actually been very good at privacy in the past, and while most of the negative “buzz” about buzz was completely unfounded (like it was a privacy issue that you could not decide who could follow your public buzz, which they could do anyway - since it was public), the few things that were real, were also a huge deal.

Google made the blunder that everyone makes. They decided what I wanted to share. And - again - “I am the only one who can decide what I want to share.” It’s a very very simple rule. It’s not hard to understand.

To Google’s credit, they very quickly solve many of the privacy issues. But to their discredit, they solved it by doing what Facebook does - add settings. They put it into the hands of the user to set up and fiddle with the system, to protect their privacy.

Again, this is the wrong way to solve the problem.

Disqus

Let’s move on to something that isn’t a privacy issue.

Disqus is a brilliant commenting system, for many reasons. It’s socially connected, it works across different sites, it is largely spam free, and it got many really useful features for both me as a site owner, and people as commenters.

It’s not perfect, it has its quirks now and then, but it is definitely something I recommend.

But, what you may not know is that when you sign up for Disqus, a public page is created, featuring every single comment you have ever posted on every site that uses Disqus.

It looks like this:

This sounds like a privacy issue, right?

Disqus is creating a page where you can get a very detailed picture of a person. You can see what sites he is visiting and get a sense of his comments in other places. Privacy advocates specifically do not like this sort of thing.

But again, the keyword here is “who made the decision to share.” And here you did. You shared a comment, and Disqus are merely acting on the result of you sharing something with the public - just in the same way as you can search for a person’s comments on Google.

This is not a privacy issue. People may not like it, but they have to remember that they were the ones who decided to share it in the first place.

But Disqus isn’t all good. If you look at the sidebar, you can see that Disqus is also listing all the blogs that I have set up with Disqus. This is a violation of my privacy, because I didn’t decide to share that information. Disqus did. Setting up a system, isn’t sharing.

This is actually a bit of a problem for me. The two extra blogs are clients of mine, and I am very careful about what I share about my clients - again - because the client is the only one who can decide what they want to share.

I can encourage my clients to share more (and I very often do), but they have the exclusive rights to decide what gets shared.

In the case of Disqus, creating a public profile containing all your public comments isn’t a privacy issue. Because you are the one who decided to share the comments in the first place.

But displaying additional information in the sidebar, things that I didn’t share, are a privacy issue, and a violation.

Privacy is really simple

In short, there is only one rule, which is:

The distinction is “who made the decision?” and the active element is “sharing”.